Make ima_template_hash_algo_allowed a utility function and refector the compatibility checks in a couple places. This should unify the compatibility check and make the code more streamlined. Also, rename the i in hash_setup to algo. No functional change in this patch. Signed-off-by: GUO Zihua <guozihua@xxxxxxxxxx> --- v2: fix the check in hash_setup which is wrong --- security/integrity/ima/ima_main.c | 23 ++++++++++------------- security/integrity/ima/ima_template.c | 2 +- security/integrity/ima/ima_template_lib.c | 8 -------- security/integrity/ima/ima_template_lib.h | 8 ++++++++ 4 files changed, 19 insertions(+), 22 deletions(-) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 040b03ddc1c7..e7e1c5480ca7 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -28,6 +28,7 @@ #include <linux/fs.h> #include "ima.h" +#include "ima_template_lib.h" #ifdef CONFIG_IMA_APPRAISE int ima_appraise = IMA_APPRAISE_ENFORCE; @@ -45,17 +46,19 @@ static struct notifier_block ima_lsm_policy_notifier = { static int __init hash_setup(char *str) { struct ima_template_desc *template_desc = ima_template_desc_current(); - int i; + int algo; if (hash_setup_done) return 1; + algo = match_string(hash_algo_name, HASH_ALGO__LAST, str); + if (algo < 0) { + pr_err("invalid hash algorithm \"%s\"", str); + return 1; + } + if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { - if (strncmp(str, "sha1", 4) == 0) { - ima_hash_algo = HASH_ALGO_SHA1; - } else if (strncmp(str, "md5", 3) == 0) { - ima_hash_algo = HASH_ALGO_MD5; - } else { + if (!ima_template_hash_algo_allowed(algo)) { pr_err("invalid hash algorithm \"%s\" for template \"%s\"", str, IMA_TEMPLATE_IMA_NAME); return 1; @@ -63,13 +66,7 @@ static int __init hash_setup(char *str) goto out; } - i = match_string(hash_algo_name, HASH_ALGO__LAST, str); - if (i < 0) { - pr_err("invalid hash algorithm \"%s\"", str); - return 1; - } - - ima_hash_algo = i; + ima_hash_algo = algo; out: hash_setup_done = 1; return 1; diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c index c25079faa208..b030edb33fa6 100644 --- a/security/integrity/ima/ima_template.c +++ b/security/integrity/ima/ima_template.c @@ -128,7 +128,7 @@ static int __init ima_template_setup(char *str) * by the 'ima' template. */ if (template_len == 3 && strcmp(str, IMA_TEMPLATE_IMA_NAME) == 0 && - ima_hash_algo != HASH_ALGO_SHA1 && ima_hash_algo != HASH_ALGO_MD5) { + !ima_template_hash_algo_allowed(ima_hash_algo)) { pr_err("template does not support hash alg\n"); return 1; } diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index c877f01a5471..7efae3041a40 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c @@ -13,14 +13,6 @@ #include <linux/xattr.h> #include <linux/evm.h> -static bool ima_template_hash_algo_allowed(u8 algo) -{ - if (algo == HASH_ALGO_SHA1 || algo == HASH_ALGO_MD5) - return true; - - return false; -} - enum data_formats { DATA_FMT_DIGEST = 0, DATA_FMT_DIGEST_WITH_ALGO, diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h index 9f7c335f304f..c4663595f1c8 100644 --- a/security/integrity/ima/ima_template_lib.h +++ b/security/integrity/ima/ima_template_lib.h @@ -66,4 +66,12 @@ int ima_eventinodexattrlengths_init(struct ima_event_data *event_data, struct ima_field_data *field_data); int ima_eventinodexattrvalues_init(struct ima_event_data *event_data, struct ima_field_data *field_data); + +static inline bool ima_template_hash_algo_allowed(int algo) +{ + if (algo == HASH_ALGO_SHA1 || algo == HASH_ALGO_MD5) + return true; + + return false; +} #endif /* __LINUX_IMA_TEMPLATE_LIB_H */ -- 2.36.0